Description: gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)

What's source routing?

Under normal conditions, the sender of a TCP/IP data packet exercises no control over how the packet gets to its destination. The sender simply sends the packet and relies on intermediate routers to dynamically select the best route, as determined by network traffic, router availability and other factors. It's entirely possible that every packet going between Point A and Point B could take a different route.

Source routing allows the sender of the packet to specify the route that a packet must take in traveling to the destination. If the selected route is not available for any reason, the packet would not be delivered. If the recipient replied to the packets, the response would follow the same route.

Why is source routing a security problem?

Source routing is a legitimate activity in some cases. For instance, it can be used to discover the IP addresses of routers within a network. However, it also has the potential for misuse. A malicious user could use source routing to learn more about a network that he or she is targeting for attack. Data packets contain information about where they have been and what machines they have transited. A malicious user might send data into a network in order to collect information about the network's topology. If he or she can perform source routing, they can probe the network more effectively by forcing packets into specific parts of the network.

Source routing also enables certain types of attacks. For example, suppose an attacker is unable to attack Company A because it has a well-configured firewall, but learns that Company B, which has no firewall, is allowed to directly connect to Company A behind its firewall. Source routing would allow the attacker to direct packets to Company A via Company B and circumvent the firewall.